This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 76%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
In my domain we are getting event id 4624 for successful login for the deleted user account. How to resolve the issue
Hi,
A couple of things to check, the account name in the event is the account that has been deleted. If it's the UPN or Samaccountname in the event log as it might exist on a different account. Make sure that another acocunt with the same name has been created. If you have multiple domain in your forest, make sure that the account doesn't exist in another domain. Also make sure the deleted account is in the Deleted Objects OU.
Gary.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 94%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
Hi
Could you add full event data ? Copy button when you are displaying it
Christophe
Hello @Balayuvaraj M ,
It would help if you can provide any of the next details from the ID 4624, as understanding from where and how that logon is made can tell a lot why it still appears.
This is a valuable piece of information as it tells you HOW the user just logged on:
Logon Type examples
Description
2 Interactive (logon at keyboard and screen of system)
3 Network (i.e. connection to shared folder on this computer from elsewhere on network)
4 Batch (i.e. scheduled task)
5 Service (Service startup)
7 Unlock (i.e. unnattended workstation with password protected screen saver)
8 NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
9 NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648. MS says "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
10 RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
Impersonation Level: (Win2012 and later) Examples:
Anonymous: Anonymous COM impersonation level that hides the identity of the caller. Calls to WMI may fail with this impersonation level.
Default: Default impersonation.
Delegate: Delegate-level COM impersonation level that allows objects to permit other objects to use the credentials of the caller. This level, which will work with WMI calls but may constitute an unnecessary security risk, is supported only under Windows 2000.
Identify: Identify-level COM impersonation level that allows objects to query the credentials of the caller. Calls to WMI may fail with this impersonation level.
Impersonate: Impersonate-level COM impersonation level that allows objects to use the credentials of the caller. This is the recommended impersonation level for WMI calls.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
Got to know that their is deleted account with same name, Deleted from the AD recycle bin
Closing this thread
